Crypto won't save you

Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. As he was part of the team that wrote the popular PGP encryption package, you'd expect that he'd put a lot of trust in crypto.

But like cryptographer Adi Shamir, the 'S' in RSA, who once said "cryptography is bypassed, not penetrated", Gutmann used his presentation at AusCert 2014 to highlight the inherent weakness in how we treat security. Cryptography is often seen as a silver bullet solution but it has failed.

During his talk, Gutmann looked at ten years of trying to secure things with crypto that ultimately failed. And, even though in some cases the crypto was so weak that it could be easily beaten, it was much easier to just bypass it.

As did many of the presenters at AusCert 2014, Gutmann started with some references to Edward Snowden, the poster boy for data theft or information liberation depending on your point of view. Among the documents exposed by Snowden was information pertaining to Project BULLRUN. Funded to the tune of between $250M and $300M, this is a US government initiative designed to develop "capabilities against a technology".

BULLRUN has developed capabilities against TLS/SSL, HTTPS, SSH, VPNs, VoIP and webmail, according to the documents Snowden leaked.

As Gutmann puts it, "You're not paranoid, they really are out to get you".

Gutmann's presentation delivered a history of how sophisticated cryptography has been overcome. For example, he described how most of the major gaming consoles use crypto as a way of securing systems and limiting access to user data. However, all have been hacked to some degree.

"In none of the cases was it necessary to break the cryptography," said Gutmann.

The same went for smartphones, with a common method being a hack of firmware to simply bypass any embedded crypto, or recovery of private keys from supposedly secured storage.

By the end of this part of Gutmann's presentation there was probably no one in the audience who wasn't carrying a device that had been compromised.

Some research in 2012 looked at about 12,000 very large organisations including Amazon, Apple, Dell, eBay, HP, HSBC, LinkedIn, Paypal and Twitter. A third of the companies were using keys "so weak that an individual attacker could have broken them," said Gutmann.

However, in none of the cases did anyone bother, as it was unnecessary in order to compromise systems. In other words:

Number of attacks that broke the crypto: 0

Number of attacks that bypassed the crypto: All the rest

"No matter how strong the crypto was, or how large the keys were, the attackers walked around it," he added.

Gutmann took a long, hard look at IPsec, the protocols used to secure IP communications. He pointed out that it has a number of errors and is not as secure as many believe. The NSA contributed to development of the IPsec standard, with Gutmann citing information from Niels Ferguson and Bruce Schneier's "A Cryptographic Evaluation of IPsec" saying "the ISAKMP specifications [the NSA's main overt contribution to IPsec] contain numerous errors, essential explanations are missing, and the document contradicts itself in various places".

Despite this, Gutmann did stop short of saying that IPsec was deliberately sabotaged, saying "Never attribute to malice what is adequately explained by a committee".

The lesson from all of this is that you need to secure every part of the system and not just throw crypto at one bit and assume that you'll be safe. It's not enough to simply rely on standards and to follow the crowd. Understanding security just from an appliance and software solution point of view is not enough.

Security professionals have said for many years that good security is based on layers. That remains true but putting too much trust in one layer, like crypto, can leave you vulnerable in other places.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.